Neal Hindocha, a senior security consultant for Trustwave, has built proof-of-concept 'screenlogging' malware that monitors finger swipes on smart devices in combination with taking screenshots, painting a picture of exactly how the user is interacting with their phone or tablet.

Hindocha's concept malware logs the X and Y coordinates of any swipe or touch. Speaking with Forbes, Hincocha says it wasn't much hassle to get the code running on jailbroken iOS and rooted Android devices, and that it's possible to get it working on regular Android smartphones, provided they are plugged into a PC - for example, while charging by USB.

Trustwave was examining financial malware on the Windows platform and wanted to see if similar methods could be applied to mobile. Keylogging has been a typical component for financial Windows malware, and there are apps that already log keyboard inputs on smart devices. But Hindocha says the finance industry is moving away from using typical keyboard inputs, whether it is with a PIN code or another kind of password.

Recording touch screen coordinates "has a certain value in itself," Hindocha says. "If you're monitoring all touch events and the phone hasn't been touched for at least one hour, then you get a minimum of four touch events, you can assume that is a PIN code being entered."

"The more interesting thing is, if you get a screenshot and then overlay the touch events, you're looking at a screenshot of what the user is seeing, combined with dots, sequentially, where the user is touching the screen."

The end result, Hindocha explains, is that it doesn't matter how a user inputs the information: all of it is going to be captured.

It's also possible to figure out where on the device the user is at a given time - you can set the code to take screenshots only when a user is in an app rather than on the home screen to avoid racking up a lot of disk space.

This kind of attack is probably not something most users will have to worry about. Running malware like this on an industrial scale would be labor intensive, as it's difficult to automate or search through images for relevant information.

From a social engineering perspective, though, it could have its uses.

"It's more likely this could be used against specific users or companies," Hindocha says. "Targeted attacks are likely vectors."

Hindocha hopes that by demonstrating his concept at the upcoming RSA Security conference, he will help make app developers and companies with high security requirements understand the importance of issues that, if ignored, could potentially leave people or businesses wide open.